> Gary, may I suggest an alternative response to application firewalls and the
> notion that it is harebrained? Of course this is true but this list is
> missing a major opportunity to finally calculate an ROI model. If you ask
> yourself, what types of firewalls are pervasively deployed, you would find
> that application firewalls aren't. This would then mean that folks would
> either need to replace their existing firewall (very risky that no one would
> ever consider), add multiple firewalls which introduce operational
> complexity, etc.
>
> For many shops, having another type of firewall could cost millions whereas
> putting tools in the hands of developers may actually be cheaper. We as a
> community may be better served by encouraging application firewalls and
> letting the financial model for complying work in our favor...
I think that app firewalls have value depending on your expectation and situation. If you have a small website that doesn't change much, then there may be value. If you are in serious need to pass PCI or some compliance requirement quickly, an app firewall may buy you some time to address the problem correctly in development. If you have code pushes every 2 weeks with new content being added on a large website, you need to understand that you'll need to hire an app firewall person to constantly tweak rules, plus the cost of the licenses.

App firewalls are IDS/IPSs and should be treated as such, except that the specifics are slightly different because it sits on the web layer, which is considerably more complicated and dynamic.

I'm an advocate of fixing the problem in the SDLC; however, one of the things that people fail to consider is that SDLC integration with an existing process and large code base takes months, sometimes years, to get right. Until it is properly integrated you're left with the decision of fixing vulns one at a time (as they come up) and/or placing additional filtering in place to reduce risk.

Regards,

- Robert Auger
http://www.cgisecurity.com/ Application security news and more
http://www.webappsec.org/ The Web Application Security Consortium
http://www.qasec.com/ Software Security Testing

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________